From 776b832a630112b4da17777e0179512616dbbc39 Mon Sep 17 00:00:00 2001
From: Michael Torres
Date: Fri, 13 Oct 2023 10:23:50 -0700
Subject: [PATCH] Map non-keyword ICMP types to their numeric code.
Without this change, policies with types that don't map to keywords aren't valid syntax
PiperOrigin-RevId: 573255137
---
capirca/lib/nftables.py | 19 +++++++++++++++++--
policies/pol/sample_nftables-mixed-icmp.pol | 2 +-
tests/lib/nftables_test.py | 4 ++--
3 files changed, 20 insertions(+), 5 deletions(-)
diff --git a/capirca/lib/nftables.py b/capirca/lib/nftables.py
index 993e7a0b..fa17c620 100644
--- a/capirca/lib/nftables.py
+++ b/capirca/lib/nftables.py
@@ -127,7 +128,8 @@ def MapICMPtypes(self, af, term_icmp_types):
 If we encounter certain keyword values in policy.Term.ICMP_TYPE keywords,
 we override them with NFTable specific values in order for rendered
- policy to be semantically correct with what NFT expects.
+ policy to be semantically correct with what NFT expects. If NFT doesn't have
+ a keyword for a type, it uses the raw type code as an integer.
 https://www.netfilter.org/projects/nftables/manpage.html
 Function is used inside PortsAndProtocols.
@@ -152,6 +153,17 @@ def MapICMPtypes(self, af, term_icmp_types):
 'inverse-neighbor-discovery-solicitation': 'ind-neighbor-solicit',
 'inverse-neighbor-discovery-advertisement': 'ind-neighbor-advert',
 'version-2-multicast-listener-report': 'mld2-listener-report',
+ 'icmp-node-information-query': '139',
+ 'icmp-node-information-response': '140',
+ 'home-agent-address-discovery-request': '144',
+ 'home-agent-address-discovery-reply': '145',
+ 'mobile-prefix-solicitation': '146',
+ 'mobile-prefix-advertisement': '147',
+ 'certification-path-solicitation': '148',
+ 'certification-path-advertisement': '149',
+ 'multicast-router-advertisement': '151',
+ 'multicast-router-solicitation': '152',
+ 'multicast-router-termination': '153',
 },
 4: {
 # IPv4 exceptions below
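Review bot: The eleven numeric IPv6 entries added in the `@@ -152` hunk, and the three IPv4 entries in the `@@ -160` hunk, hand-copy type codes that the docstring says already live in policy.Term.ICMP_TYPE, so the two tables can drift and any policy keyword still absent from this override dict would presumably be rendered verbatim, which is the same failure the commit is fixing for the listed ones. A narrower fix would keep only the keyword renames in this dict and, for a keyword with no entry, fall back to `str(policy.Term.ICMP_TYPE[af][item])` in the loop that follows (assuming that mapping is keyed by address family like this one), so a new policy keyword never needs a second table. At minimum add a why-comment above `'icmp-node-information-query': '139',` and again above `'alternate-address': '6',`: `# nft has no keyword for these types; emit the raw IANA ICMP type code instead`. The loop `for item in term_icmp_types:` and the rest of MapICMPtypes run past the end of both hunks, so how an unmapped keyword is handled today is inferred here, not visible.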
@@ -160,7 +172,10 @@ def MapICMPtypes(self, af, term_icmp_types):
 'information-reply': 'info-reply',
 'mask-request': 'address-mask-request',
 'mask-reply': 'address-mask-reply',
- }
+ 'alternate-address': '6',
+ 'conversion-error': '31',
+ 'mobile-redirect': '32',
+ },
 }
 for item in term_icmp_types:
diff --git a/policies/pol/sample_nftables-mixed-icmp.pol b/policies/pol/sample_nftables-mixed-icmp.pol
index 2adc4b61..f17e79d7 100644
--- a/policies/pol/sample_nftables-mixed-icmp.pol
+++ b/policies/pol/sample_nftables-mixed-icmp.pol
@@ -43,7 +43,7 @@ term test-icmp-type-ip4 {
 term test-icmp-type-ip6 {
 comment:: "IPv6 icmp-type test"
- icmp-type:: multicast-listener-done router-solicit router-advertisement
+ icmp-type:: multicast-listener-done router-solicit router-advertisement multicast-router-solicitation multicast-router-advertisement
 protocol:: icmpv6
 action:: accept
 }
diff --git a/tests/lib/nftables_test.py b/tests/lib/nftables_test.py
index ba098611..ea9d437b 100644
--- a/tests/lib/nftables_test.py
+++ b/tests/lib/nftables_test.py
@@ -265,7 +265,7 @@ def __init__(self, in_dict: dict):
 ICMPV6_MULTI_TERM = """
 term good-icmpv6-type {
 comment:: "IPv6 ICMP accept many types"
- icmp-type:: router-solicit router-advertisement neighbor-advertisement neighbor-solicit
+ icmp-type:: router-solicit router-advertisement neighbor-advertisement neighbor-solicit multicast-router-solicitation multicast-router-advertisement
 protocol:: icmpv6
 action:: accept
 }
@@ -626,7 +626,7 @@ def testICMPv6type(self):
 self.assertIn(
 (
 'icmpv6 type { nd-router-solicit, nd-router-advert,'
- ' nd-neighbor-advert, nd-neighbor-solicit } accept'
+ ' nd-neighbor-advert, nd-neighbor-solicit, 152, 151 } accept'
 ),
 nft,
 )
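Review bot: The updated expectation in the `@@ -626` hunk covers only the IPv6 numeric fallback (`152, 151`); the three IPv4 codes added in nftables.py (`alternate-address`, `conversion-error`, `mobile-redirect`) have no test at all, so a wrong code there would ship unnoticed. Add a parallel ICMPv4 term next to ICMPV6_MULTI_TERM with `icmp-type:: alternate-address conversion-error` and assert the rendered set contains `6, 31` in the same assertIn shape (the IPv4 rendering prefix is not shown in this diff, so mirror whatever the existing IPv4 test asserts). The `152, 151` expectation also silently pins that MapICMPtypes preserves the policy's listing order, which deserves a one-line comment on the assertion since a future sort of the set would break it for a non-obvious reason. testICMPv6type begins outside the hunk.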